Accounts

February 27, 2014

The Minister of Culture with the president and CEO of AEDE. Photo from eldiario.es, under the CC BY SA 3.0 license.

A draft law that would amend Spain's Intellectual Property Law (also known as the Sinde Law) was brought before Parliament on February 14. The bill aims to combat Internet piracy and, in passing, restricts the use of links to and citations of publications by imposing a so-called “Google tax” on websites that use them.

The bill would amend Article 32.2 of the current law, establishing an obligation to pay “compensation” to the media for using fragments of their content. As 20minutos.es [es] reports:

The bill passed this Friday authorizes “the use of insignificant fragments” of news, opinion articles, or entertainment content without authorization on behalf of the right holders, but grants the authors “an inalienable right” to compensation.

This measure would initially affect news aggregators like Google News, Menéame [es], or Flipboard. The tax would be collected by CEDRO, a copyright management entity whose main partners are the country's most important communications groups, such as Prisa, Zeta, and Planeta, which would then distribute the money equally among its members. According to David Maeztu's blog, Del derecho y las normas [es], this fee would apply:

(…) not only to the content that “traditional” media (press, radio, television) puts on the web, but rather any “website that is periodically updated.”

This includes any blog, e-magazine, etc. that is updated with new content. Therefore, any blogger would have the right to charge the website to which they are added.

And it is an inalienable right (…) meaning even if you use a Creative Commons license, the website that adds you will have to pay the management company in your name. (…) even though you are not associated and logically, upon not being associated, you will not be paid anything and this money will be allocated amongst its other partners.

The representatives of the major media groups are very satisfied with the measure, which they view as just compensation for the readers and money they have been losing in recent years. In a statement, the president of the AEDE (the association that brings together the country's leading media, the same ones that make up the CEDRO management entity) said [es],

The amendment to the Intellectual Property Law, which includes the right to compensation from the aggregators, is the most important step that a government in Spain has taken to protect the press. I am sure that this path that just opened will be followed by other European countries.

Nonetheless, the vast majority of online media, bloggers, and Internet users are of the opinion that with this measure, traditional media is “biting the hand that feeds them,” given that an important segment of traffic to their sites comes from news aggregators. Ignacio Escolar, the director of eldiario.es, says in his blog [es]:

Being on Google is optional. Putting buttons for Twitter, Facebook or Menéame on your news publication is also voluntary. No one is forcing any newspaper to be “robbed” by a news aggregator or a search engine that links to its articles. On the contrary: it is quite simple to disappear from Google, but none of the media that celebrates the new digital fee these days would want to get out of there.

In fact, all of the media outlets that defend the Google tax have social media sharing buttons on their pages so that readers can send their links to different social networks and aggregators. In the screenshot below of the newspaper El Mundo, published by Carlos Herrero on his blog [es], readers can see a text that criticizes “the absolute impunity with which news aggregators are being enriched at the expense of the labor of others,” right next to the aforementioned buttons:

That which is published in the media has never been read, commented on, debated, or shared as much as it is now, the online press is experiencing a new life thanks to social networks, blogs, and aggregators, and now this is at risk of changing and being lost. (…) Another bailout, now of the media industry.

Enrique Dans, professor at the IE Business School and a PhD in Information Systems, goes even further on his blog [es], and believes that with this measure, the government wants to buy the submission of the mainstream media:

The AEDE website, inoperative as a result of a DoS attack from Anonymous, which posted a message on its homepage calling the “AEDE's Online Boycott of the media”. Photo from alt1040.com under the CC BY-NC 2.5 license.

[The] government, obsessed with the treatment of the media and worried about the next elections, has decided to take the positions it didn't control by assault: by sharing the juicy pie of institutional advertising and putting this change in the law on the table, it has already achieved changes in the leadership of the major newspapers that have ended up hostile: following the changes in the direction of La Vanguardia and El Mundo, now we see the reveal at El País, completing a movement in traditional news sources that was actually planned before the People's Party even came to power.

Menéame, the main aggregator harmed by the new law, has issued a statement [es] in which they express their opposition to the tax, review the traffic that they send to the mainstream media, and affirm that once the law passes, they will have to choose between “blocking links to local newspapers, leaving Spain, or shutting down.” Meanwhile, users of the aggregator have begun their own “war” against the AEDE media [es], voting their news stories down to remove them from the top positions, while Anonymous attacked the AEDE website.

The draft law has also failed to receive support from popular online newspapers like 20minutos.es and eldiario.es, which has been particularly critical of the tax [es]. Similar legislation has already been attempted, unsuccessfully, in other countries like Germany, France, and Belgium [es], where traditional media was “punished” by not appearing on Google for six years until it gave up charging the fee.

January 6, 2014

Screen capture of Sina Weibo message when a user opens a deleted page.

He Weifang, a famous law professor at Peking University, greeted his followers in the new year on Sina Weibo, China's most popular social media platform, with a goodbye message. The professor, who has often been attacked online for his support of constitutional rights, is one of many opinion leaders who have fled the microblogging website since China stepped up its censorship and prosecution efforts.

[Wish you well in New Year] I express sincere wishes and thanks to Weibo friends with the coming of the new year! You have given me encouragement and I've learned plenty of new knowledge from your comments. Good communication lets me find true feelings in a virtual space. I've felt upset seeing some familiar accounts gradually disappear throughout the past year. So now it’s the time for me to call it quits with Weibo. Goodbye!

Professor He said he plans to leave Weibo on the first day in 2014. I wish it’s just a temporary emotional response. Without Weibo, people would be dumber nowadays. Speaking the truth is a social responsibility and a physical need.

[Is it about time to quit Weibo?] Sensitive words are increasing, meanwhile the phenomena of deletion, censorship and banning user accounts are so common. Many friends have quit Weibo and gone silent. The atmosphere on Weibo is so chilling. Meanwhile, moderate voices and discussion of political transformation have received less and less responses. Should I quit Weibo as well? Facing a new year, maybe I shouldn't spend too much time talking on the platform. There are too many more effective things that I should do for the nation and for society.

China's crackdown on online “rumor-mongering”, widely seen as a movement to suppress criticism of the ruling Communist Party (CCP), has effectively silenced Weibo, with high-profile bloggers reining in sensitive posts for fear of detention. Since the launch of the nationwide campaign in August 2013, hundreds of people have been detained across the country on charges of libel or “inciting trouble” for posting unverified or critical information on Weibo.

In addition, China's top court fueled public fear by publishing a judicial interpretation in September that said users can be prosecuted for posting rumors seen by more than 5,000 people or forwarded more than 500 times. The main targets of the crackdown are liberal public opinion leaders, in particular citizen rights lawyers and activists, whose Weibo accounts have been banned or deleted.

Below is a list of prominent public opinion leaders who have been prosecuted and harassed in the past few months:

- Xu Zhiyong, an anti-corruption campaigner who has called for officials to disclose their wealth, was arrested in August and his account on Weibo was deleted.

- Wang Gongquan, an outspoken venture capitalist, was taken away by police in September on charges of disturbing public order after he helped lead a campaign for the release of another activist.

- Pu Zhiqiang, a citizen rights lawyer, has seen his account on Weibo banned and has had to change his account names to keep publishing posts.

Xu, Pu and Wang are all listed on Foreign Policy’s Global 100 Thinkers of 2013.

- Zhu Ruifeng, one of China's most prominent whistleblowers, discovered that authorities had deleted his four microblog accounts in July after he released a video of a district party chief in the southwestern city of Chongqing having sex with a mistress.

- Liu Hu, an investigative journalist who accused the deputy director of the State Administration for Industry and Commerce of dereliction of duty, was arrested on a charge of defamation in September, and his Weibo account was removed.

- Zhang Lifan, a prominent scholar of modern Chinese history and outspoken critic of Mao Zedong, found that all of his microblogs and columns were removed simultaneously without warning or any tip-off on the same day the Third Plenum of the Communist Party ended.

While the ruling party certainly gains the upper hand in the ideological battle, it is also slowly killing Sina Weibo, a tool for building trust among people. Chinese venture capitalist Wang Ran lamented the situation:

和微信上的各种爆料比，微博也快成新闻联播了。

In comparison with breaking news in WeChat, Weibo is turning into Central Television's National News Broadcast Program [party propaganda].

Popular online commentator and Sina Weibo administrator Old Xu proclaimed the coming death of Weibo:

微博成为新闻联播，那就离死不远了!

Weibo would be close to death when it becomes [state-owned] CCTV News!

November 15, 2013

A longer version of this post originally appeared on Citizen Lab’s research blog.

A new generation of instant messaging apps — offering social networking features, video and photo sharing, e-commerce, gaming, and more — is dominating markets across Asia and moving into countries beyond the region. New research from the Citizen Lab at the University of Toronto investigates government pressures on Asian companies developing instant messaging apps, information controls in the apps, and implications for users.

The Asia Chats project from the Citizen Lab at the Munk School of Global Affairs, University of Toronto is dedicated to analyzing instant messaging (IM) applications used in the region with an initial focus on WeChat (Tencent, China), LINE (LINE Corporation, Japan [1]), and KakaoTalk (Kakao Corporation, South Korea). Our reports will include technical investigation of censorship and surveillance, assessment of the use and storage of user data, and comparison of the terms of service and privacy policies of the applications. The first report by Senior Security Analyst Seth Hardy examines the implementation of keyword censorship for LINE users based in China and introduces a tool we developed that allows users to circumvent censorship in LINE. A concise overview of our findings follows.

LINE’s rapid growth and privacy concerns

Released in June 2011, popular instant messaging app LINE now has 280 million registered users. Outside of its original market of Japan, LINE has 18 million users in Thailand, 17 million in Taiwan, and 14 million in Indonesia. In December 2012, LINE launched a Chinese-branded version of the app, Lianwo (连我), in partnership with Qihoo 360 Technology Co., Ltd. [2] The head of LINE's Chinese division has said that they aim to make it the second biggest mobile IM company in China, after Tencent's WeChat.

As more and more people begin to use chat apps like LINE, governments have asserted an interest in monitoring communications over these applications for “criminal activity”. A close look at LINE suggests that the app, intentionally or unintentionally, provides ways for law enforcement to eavesdrop on private communication. Citizen Lab researchers verified that LINE chat traffic is sent unencrypted over 3G networks on the latest version of the client. A person with the capability to intercept these messages can obtain chat history, which includes everything from the date and time of the chat to the content of the chat itself. Although mobile 3G networks are encrypted by default, this encryption is implemented at the carrier level, meaning that Internet service providers (ISPs) and telecoms can potentially decrypt the traffic. Commentators have speculated that LINE may have intentionally left 3G unencrypted to allow authorities to access data at the carrier level.

Regionally-based keyword censorship

On May 20, 2013, Twitter user @hirakujira found a list of 150 blocked keywords within the iPhone version of LINE intended for users based in China. To learn more about how censorship in LINE works, we reverse engineered the Android LINE application version 3.9.3 [3], downloaded from the Google Play store. We found that when a user's country is set to China during installation, the censorship function is activated. A list of censored keywords is then downloaded from Naver's server, and messages that contain any of these keywords are blocked.

Screen capture of notification users receive when attempting to transmit a keyword on the blocked list.

When LINE is installed, it asks for the user's country and phone number. The service sends an SMS to this phone number with a four-digit verification code. If the country code of the phone number and the selected region do not match, the program displays an error and suggests the user try again later. Users began sharing instructions for changing their region settings in order to access regionally-specific downloadable content such as stickers (LINE in Indonesia, for instance, had stickers to celebrate the holy month of Ramadan). Downloadable content such as stickers is one of the ways LINE monetizes its service. The previous method for changing regional settings no longer works because newer versions of LINE encrypt region data, likely to prevent users from changing their region settings and gaining access to downloadable content that they would otherwise not have, or would have to pay for.

Our research shows that LINE has been capable of censoring specific keywords since at least version 3.4.2, released on January 18, 2013. [4] LINE was launched in China in December 2012, and it appears that keyword censorship was enabled soon after the launch. It is likely that keyword censorship for users based in China is maintained by Qihoo 360, but exactly how it is managed is not clear. Comparing the mechanism and targeted keywords for censorship in LINE with those used by Qihoo 360 products and WeChat is an interesting area for further research.

LINE's censored keyword list includes content related to disgraced former Communist Party of China (CPC) politician Bo Xilai, the June 4, 1989 crackdown on Tiananmen Square, infighting or factions within the CPC, Falun Gong, and various controversies such as the fatal Ferrari crash that involved the son of a party official close to President Hu Jintao and the Wen Jiabao family's secret wealth. Citizen Lab Research Fellow Jason Q. Ng has translated both the original keyword list discovered by @hirakujira and the latest versions we extracted from Chinese to English, and describes the context behind them. The first keyword list discovered by @hirakujira is described in a series of blog posts (full list available here), and the most recent keyword list uncovered by Citizen Lab and translated by Ng is available here.

Interestingly, LINE's censored keyword list and the lists that we found in our previous research on two other Chinese IM clients, TOM-Skype and Sina UC, are not identical. While some of the topics are the same (e.g. June 4, Falun Gong), only 27 of the 370 keywords in the LINE list are exact matches with the 4,256 unique keywords in the TOM-Skype and Sina UC dataset.

This lack of overlap suggests that no common keyword list was provided to these companies by government authorities. Previous studies on censorship in blog services and search engines localized for the Chinese market have found similar inconsistency between products. Overall, these findings suggest that Chinese companies may be given general guidelines from authorities on what types of content to target, but have some degree of flexibility on how to implement these directives.
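As an added example (not Citizen Lab's code or its tool), the following Python models two things from the passages above: the substring check a client performs against a downloaded keyword list, and the exact-match comparison of two vendors' lists, extended with a "related" check that explains how lists can share topics while having few exact matches. The keyword lists are constructed samples, not the real LINE, TOM-Skype or Sina UC lists.

```python
"""Keyword-censorship helpers (added example, not Citizen Lab code).

(1) blocked_by(): the client-side check described for LINE, where a message
    is blocked if it contains any keyword from the downloaded list.
(2) exact_overlap()/related_overlap()/summarize(): compare two vendors' lists
    the way the text does (exact matches), then look for near-matches where
    one list's keyword contains the other's, i.e. the same topic spelled more
    or less broadly.
The lists below are constructed samples; they are NOT the real keyword lists.
"""
from typing import Dict, List, Tuple

# Constructed sample lists. Topics mirror those named in the text; the entries
# themselves are made up for this example.
LINE_LIST: List[str] = ["六四", "六四事件", "法轮功", "薄熙来", "天安门", "王立军", "温家宝 家族"]
TOMSKYPE_LIST: List[str] = ["六四", "法轮", "法轮功", "天安门 事件", "薄熙來", "新闻自由", "胡锦涛"]


def normalize(text: str) -> str:
    """Drop whitespace and case so '温家宝 家族' and '温家宝家族' compare equal.
    No script folding is done, so simplified 来 and traditional 來 stay distinct;
    such variants are one reason exact-match counts between lists stay low."""
    return "".join(text.split()).lower()


def blocked_by(message: str, keywords: List[str]) -> List[str]:
    """Return the keywords (original spelling) that a substring filter would
    trigger on for this message; an empty list means the message passes."""
    msg = normalize(message)
    return [kw for kw in keywords if normalize(kw) in msg]


def exact_overlap(a: List[str], b: List[str]) -> List[str]:
    """Keywords present in both lists after normalization."""
    return sorted(set(map(normalize, a)) & set(map(normalize, b)))


def related_overlap(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Pairs (x from a, y from b) that are not equal but where one keyword
    contains the other, e.g. '六四事件' vs '六四'."""
    pairs: List[Tuple[str, str]] = []
    for x in a:
        nx = normalize(x)
        for y in b:
            ny = normalize(y)
            if nx != ny and (nx in ny or ny in nx):
                pairs.append((x, y))
    return pairs


def summarize(a: List[str], b: List[str]) -> Dict[str, int]:
    """Counts to report: exact matches, related pairs, and how many entries of
    each list have no counterpart in the other at all."""
    exact = set(exact_overlap(a, b))
    related = related_overlap(a, b)
    covered_a = exact | {normalize(x) for x, _ in related}
    covered_b = exact | {normalize(y) for _, y in related}
    return {
        "exact": len(exact),
        "related_pairs": len(related),
        "a_unmatched": sum(1 for x in a if normalize(x) not in covered_a),
        "b_unmatched": sum(1 for y in b if normalize(y) not in covered_b),
    }


if __name__ == "__main__":
    print(summarize(LINE_LIST, TOMSKYPE_LIST))
    print(blocked_by("今天是六四，别忘了", LINE_LIST))
```

On the sample lists only 2 of 7 entries match exactly, yet 3 more pairs cover the same topic, which is the pattern the passage describes.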

How to get around keyword censorship in LINE

As the keyword censorship implemented in LINE is only active if a user's installation is set to China, it can be disabled by configuring the client for another region (e.g. Canada or the US). To assist users, the Citizen Lab has released the LINE Region Code Encrypter Tool for changing regions in the LINE client to disable regionally-based keyword censorship.

Future research

LINE is facing a perennial tension between appealing to a broad user base and complying with government-mandated information control regulations (as in China). These challenges demonstrate the difficulty of operating an application in multiple jurisdictions and the unique characteristics of Asian markets with restrictive communications environments. As Asian IM applications continue to grow in popularity, so too will pressures to enact information controls and disclose user data. The Citizen Lab will continue to analyze the rise and implications of these applications in the Asia Chats series.

For a detailed technical analysis of the findings described here see this report by Citizen Lab’s Senior Security Analyst Seth Hardy.

Footnotes

[1] Originally the application was developed by NHN Japan, the Japanese arm of Naver Corporation (formerly NHN), based in South Korea. Following the success of the application, Line Corporation was formed as a subsidiary of Naver.

While the Mexican government has long been suspected of purchasing surveillance equipment, the frequency of these purchases and the level of public funds allocated to them are rapidly increasing. Last February, the New York Times published an investigative report on USD 355 million in expenditures by the Mexican Ministry of Defense for sophisticated surveillance equipment. Six months prior to the Times investigation, Carmen Aristegui, a renowned investigative journalist in Mexico, published a report documenting five contracts from the National Secretary of Defense for the purchase of surveillance technologies. All five contracts were confidential and granted to a single company headquartered in the state of Jalisco called Security Tracking Devices, Inc.

In March of 2013, the University of Toronto’s Citizen Lab published “You Only Click Twice: FinFisher’s Global Proliferation,” in which researchers conducted a global Internet scan for command-and-control servers of FinFisher surveillance software. Citizen Lab found FinFisher servers hosted by two Mexican Internet service providers: Iusacell, a small service provider, and UniNet, one of the largest ISPs in Mexico.

It was clear that the findings revealed potential legal violations. As part of my work investigating surveillance in the Northern Triangle for Citizen Lab's Cyber Stewards project, I shared this research with human rights groups and technology collectives in Mexico.

I connected with human rights activists in Mexico City and we worked together to raise awareness about civil society efforts in other countries that have resulted in legal action against the use of surveillance technology by repressive regimes, including cases against Amesys in France and FinFisher in Pakistan. A coalition of human rights lawyers and international experts, including Citizen Lab, ISOC Mexico, Privacy International, and other organizations, discussed the possibility of taking legal action to reveal the identity of those parties responsible for the purchase and deployment of FinFisher software in Mexico. At the time, however, we did not have enough information to present a strong case.

In May of 2013 Citizen Lab published “For Their Eyes Only: The Commercialization of Digital Spying,” which once again implicated Mexican ISPs in deploying FinFisher surveillance software. Two Mexico City-based human rights non-governmental organizations, Propuesta Cívica and ContingenteMx, requested a verification procedure regarding FinFisher's presence in Mexico with the Instituto Federal de Acceso a la Información y Protección de Datos (Federal Institute for Access to Information and Data Protection, or IFAI), Mexico's privacy authority. Their filing cited Citizen Lab's FinFisher research.

“For Their Eyes Only,” report by Citizen Lab.

IFAI is legally mandated to protect citizen data and investigate possible personal data violations by private sector entities, as provided by the Federal Law on Personal Data Protection Held by Private Parties. It is also mandated to impose sanctions if a law has been breached. IFAI has the ability to launch a procedure either on its own initiative or at the request of affected parties. If, after preliminary findings, the IFAI determines that there is sufficient evidence to proclaim that a data breach has taken place, a formal investigation and possible sanctions will follow.

IFAI subsequently opened an official preliminary inquiry asking ISPs whether they were hosting FinFisher servers and what measures they were taking to protect the data of their clients. At the same time, Federal Deputy Juan Pablo Adame proposed a resolution before the Mexican Senate and Congress encouraging IFAI to investigate the use of FinFisher with reference to Citizen Lab’s findings and the requests submitted by civil society to investigate the deployment of FinFisher (registered as IFAI/SPDP/DGV/544/2013 and IFAI/SPDP/DGV/545/2013). The Permanent Assembly approved Adame’s motion, thereby imposing an obligation on the data protection authority to answer all questions submitted by the government.

After the Congress and Senate passed a joint resolution, IFAI announced that it required further information from ISPs and government agencies with powers to acquire surveillance technologies before deciding whether it would open a verification process for Iusacell and UniNet. UniNet denied responsibility for any programs that clients run on their servers, while Iusacell made no comment.

Purchase of FinFisher confirmed by authorities

On July 6, following the Congressional resolution and an IFAI public statement announcing the inquiry, YoSoyRed published a leaked contract and other documents implicating the Mexican Federal Government in the purchase of FinFisher software. The Procuraduría General de la Nación (Office of the Prosecutor or PGR) purchased the surveillance tool from Obses, a security contractor, for up to USD 15.5 million. José Ramirez Becerril, a representative from Obses, unveiled details about the equipment provided to PGN and claimed that other Mexican governmental institutions purchased the software as well. Mexican authorities confirmed that the equipment was purchased directly rather than through the governmental bid system that usually characterizes defence contracts so as not to “alert organized crime.”

The media heavily scrutinized the leaked FinFisher contracts. The press, however, was more concerned about the amount of public funds allocated to purchasing these technologies than about the technologies themselves. In circumventing the public bid procedure, FinFisher and another surveillance tool called Hunter Punta Tracking/Locsys were sold at an inflated price to Mexican authorities during the Felipe Calderon administration. In response, authorities indicated they would prosecute culpable individuals who conduct illegal surveillance activities. To date, no criminal complaint has been filed, despite strict provisions that prohibit the interception of communications unless authorized by a federal judge and a warrant. The full content of the contracts has not yet been made public.

As the scandal unfolded, Congress helped activists on the ground demand greater transparency and accountability. On July 11, the Mexican Senate and Congress passed a joint resolution in which they demanded a full investigation and disclosure of any contracts between the Secretary of Interior, the PGR, and any other relevant institution. These bodies were asked to send a full report about the purchase of surveillance and hacking systems capable of monitoring mobile phones, electronic communications, chats, and geolocation data from Obses, Gamma Group, Intellego, and EMC Computer Systems and its affiliates. Congress also called for laws to regulate and restrict purchases of surveillance equipment, extensively quoting the Citizen Lab report in its request. The commercial entities named have not yet responded. IFAI also informed Congress that it would continue the investigation.

Iusacell and UniNet continued to deny hosting FinFisher servers. Iusacell indicated that the servers were located in Malaysia. Further evidence indicates otherwise: Wikileaks’ and La Jornada’s Spyfiles 3 publication revealed that FinFisher developers visited and were active in Mexico.

All Mexicans enjoy a constitutional right to privacy according to the recently amended Article 16 of the Mexican Constitution and the Federal Law on the Protection of Personal Data held by Private Parties, a general privacy framework. IFAI’s mandate ensures full monitoring powers and verification of compliance with these laws. If IFAI fails to open a full investigation, criminal and constitutional complaints can follow and any failure to investigate will be challenged under the basis of flagrancy. Technical assistance is often necessary to test devices and find examples of infected individuals to support any legal course of action.

IFAI's investigation is currently ongoing. The Citizen Lab and Cyber Stewards Network will continue supporting the case and helping both the Mexican authorities and citizens understand how surveillance systems operate, so that they can evaluate whether those employing them are breaking the law.

Renata Avila is a researcher with Cyber Stewards, an international network of South-based cybersecurity scholars, advocates and practitioners facilitated by the University of Toronto's Citizen Lab.

September 16, 2013

Carna Botnet geovideo of 24 hour relative average utilization of IPv4 addresses observed using ICMP ping requests. This work has been released into the public domain by its author, Internet Census 2012.

In the early days of the Internet, the United States established a near monopoly over Internet protocol and everything that flows from it — code, regulation, policy and an unthinkably powerful Internet technology industry. The NSA leaks provide a chilling example of the consequences that this degree of dominance can have for the world.

Today, most of the ICT private sector is based geographically in the US. This has made it possible for the US government to develop some of the most influential policies and practices that affect the exercise of human rights, like the right to privacy, on the global Internet. Foreign governments have little ability to influence or regulate the actions of companies like Google or Facebook beyond their national borders. Even within their jurisdictions, this can prove difficult.

Why should we assume that these policies will work for the rest of the world?

This dynamic can bring both gains and losses. The Global Online Freedom Act, a bill introduced in Congress that would hinder the ability of US companies to sell surveillance and censorship technologies to repressive governments, could have a positive impact on human rights. But many policies do just the opposite. What we now know about the NSA proves that, in essence, the US government created a surveillance regime not just for its own country, but for the entire world. It would not be possible for the NSA to spy on millions of Internet users if Google, Facebook, Yahoo! and other leading companies were not located in the US.

We had previously hoped that the US government would regulate these giants with an eye toward the human rights of users worldwide. But the Snowden leaks prove that in some cases, they are doing the reverse. Here, they have taken advantage of their unique situation in order to create what is likely the largest electronic surveillance regime in human history.

For those of us who belong to what is now called “the global south,” the legitimacy of these policies is the same whether it comes from US government policy makers, or senior officials in Silicon Valley. We have not been involved in Washington political processes, nor have we taken part in technology companies’ decision-making about products and services. Of course, the US does not have an obligation to ask our opinion or to take our personal needs into consideration. But the legitimacy that the US has to impose a specific code of law on the Internet is similar to that of the private sector: Both can do so without taking into account the rights and interests of the rest of the world. As a result, we are left with a paradox: Either we accept some kind of “balkanization” of policy — wherein every society has the capacity to influence code through its own policies — or we accept that the only way to move forward is through decisions made by international agreements.

But both of these options are fundamentally flawed. Balkanization could make it impossible to maintain the bountiful “borderless” nature of the Internet as we know it today. And for international agreements to be legitimate, recognized and enforced by national governments, strong and serious engagement would be required from countries around the globe. Unfortunately, this does not yet appear to be happening. For example, there are just two Latin American member countries in the Freedom Online Coalition, a group of governments that came together in 2011 to facilitate a global dialogue about the responsibilities of governments to actively further freedom on the Internet. Participation of other countries from the same region in the annual Internet Governance Forum is equally low.

In today's Internet age, software and hardware designs significantly impact our ability to exercise our rights. That is what Larry Lessig posited many years ago when he wrote that “code is law.” For that reason, and because the “code” is drafted mostly in the US, it is reasonable to question — and to doubt — the legitimacy of these policies for the rest of the world. The question is whether this will remain the status quo, or whether some force, corporate or political, will bring about a shift to a more equal, human rights-protective global Internet.

Eduardo Bertoni is the Director of the Center for Studies on Freedom of Expression and Access to Information (CELE) at Palermo University School of Law, Argentina. From 2002-2005 he served as the Special Rapporteur for Freedom of Expression for the Inter-American Commission of Human Rights at the Organization of American States.

August 29, 2013

When a country's leading Internet search provider offers additional services like news and online shopping, how does it affect user rights? Recent expansions by South Korean portal service Naver, which dominates the national market, have triggered controversy around this question for lawmakers and users alike.

Tensions came to a head last week at the Yeoido Research Institute, South Korea's incumbent conservative party think tank, where party members held a public hearing on Korean Internet industry market regulation entitled “Internet Regulation for Fairness and Win-Win.” Participants discussed why and how the government needs to regulate dominant popular search portals, in particular NHN's Naver service.

For Search and Online Content, Naver Rules

Founded in 1999 by former Samsung employees, Naver has become South Korea's most popular search engine, having captured over 70% of the market share since 2011. But Naver offers much more than just search services. It provides its own curated content ranging from news, to real estate, to shopping, to webtoons. Given how scarce Korean-language content online remained through the late 1990s, this business model is understandable — regulatory restrictions made it genuinely difficult to create online content, so it was natural for Naver to become a major content creator. But today its growing influence on the market raises serious questions. Can a search engine provide neutral, unbiased search results when it is also a major online content provider?

Screenshot of Naver search. Naver displays its own content at the top of the search, followed by sponsored links.

Many have criticized [ko] Naver for taking an imbalanced approach to content presentation. For example, if you search the term “lung cancer” on Naver, the first result shows [ko] an entry on lung cancer in Naver's encyclopedia [ko]. This is followed by paid advertisements for hospitals that specialize in lung cancer. In contrast, a search for “lung cancer” on Google yields the Wikipedia “lung cancer” entry as a first result.

Some have accused Naver [ko] of deliberately distorting its real-time popular search queries. Given that Naver has not offered a detailed public explanation on their search criteria, concerns about this allegation persist. In general, Naver's opponents argue that the “walled garden” bias in search results not only threatens free competition, but also hinders users’ ability to conduct neutral searches for information online.

Naver. Photo by Flickr user Joongi Kim. (CC BY-SA)

News Navigation In Naver

Critics also argue that Naver's structure and market dominance have created a biased online media environment [ko] for South Korea. Most Korean Internet users find news online not by visiting a news organization's homepage, but rather by doing a search, typically through Naver's news cast service [ko]. This has forced news organizations to compete not only with each other, but with Naver's news content. Many believe this has triggered a decline both in the quality of online news and the diversity of media outlets publishing online.

Leading newspapers that traditionally held the majority market share for advertising in Korea, such as The Chosun Ilbo, JoongAng Ilbo, and The Dong-a Ilbo, have been the loudest critics of Naver's dominance online. With Naver rapidly outpacing them in profits [ko], they are struggling to compete both with Naver's technical advantage and its often low-brow but eye-catching news coverage. Long known for its obscure editorial policies, Naver has made efforts to increase its accountability and to prioritize users’ ability to choose from a diverse range of news sources online.

Nevertheless, for news organizations that have played an important role in shaping the nation’s political opinion throughout modern Korean history, these changes have been difficult to confront, particularly as their profits continue to decline.

Stealing Start-Up Ideas?

Naver has also been accused of stealing business ideas from start-ups in Korea. This has provided ammunition against the corporation for media powerhouses such as The Chosun Ilbo, JoongAng Ilbo, The Dong-a Ilbo and Maeil Business Newspaper, who are seeking to make Naver the enemy not only of Korean news corporations but of Internet and innovation communities in general. Some of these entities have taken this as an opportunity to promote [ko] their own interests, targeting and arguably disproportionately criticizing Naver's abuse of power.

Blogger Lee Jeong Hwan has commented [ko] that the mobilization of public opinion by major news corporations aims to shrink Naver's influence in the news industry, while at the same time pushing to establish pay-walls for their news content and enhance their profits:

A news business stakeholder said that the pay-wall idea is spreading in the Korean news content industry. The major conservative news corporations throw out their verbal attacks on Naver because they assume that without eliminating the free news content of Naver, their pay-wall strategy will struggle to succeed.

Although this prediction hasn't been confirmed by these news corporations, Yonhap News Agency, Korea's largest news agency, recently laid out [ko] such a plan in an informal memo distributed to politicians and academics.

Regulatory Reform and Party Politicking

These shifts have also created opportunities for politicians. South Korea's current government has been keen on promoting both a creative economy [ko] and economic democratization, stressing a “fair and win-win” relationship between big and small businesses intended to bolster both innovation and growth.

In this context, Saenuri [ko], the ruling conservative party, plans to propose several new bills intended to tame Naver. Last month's hearing was a first step in this process. By targeting Naver and making search portals subject to stronger regulatory power, conservative politicians may also gain greater control over Daum, South Korea's second-largest search portal, which has shown some bias in favor of the nation's political left.

In contrast, South Korea's democratic party [ko] has criticized these moves, suggesting that they are merely a political maneuver designed to regain conservative power over the media in the online realm. Although the party initially had a negative view [ko] of Naver’s monopolistic and non-transparent behavior, party representatives now say that current fair trade laws provide sufficient regulatory limitations for large corporations like Naver. Earlier this week, the democratic party held a public hearing aimed at “re-thinking” the benefits and drawbacks of search portal regulation.

In late July, after receiving harsh criticism from major newspapers and some politicians, Naver announced [ko] its plans to strengthen its social responsibility by increasing transparency and stakeholder benefits, and promoting Korean-made applications, webtoons, and games on the global market. Despite this announcement, political debate and tensions between the two parties persist and the economic regulatory challenges raised by Naver's unique model remain seriously entangled with the political agendas of politicians and businesses alike.

August 14, 2013

On August 7, Facebook was inaccessible in Cambodia for several hours, leaving media freedom groups suspicious of a ploy to restrict social media sites in the country. But Metfone, Cambodia’s most popular Internet service provider, claimed that a service upgrade operation caused the blockage.

With traditional media being mostly, and in the case of television exclusively, controlled by the government, an increasing number of Cambodians rely on websites such as Facebook to access independent information.

[...]

We, the undersigned civil society groups, call upon Metfone to fully explain the purported technical issues that forced Facebook to become unavailable, to take the appropriate measures to ensure that such outages do not occur in the future, and to clarify why they continue to block other sites such as KI Media.

KI Media is a website known for its criticism of Hun Sen, who has been Cambodia’s Prime Minister for the past 28 years. The site is blocked by various ISPs in Cambodia.

Keep Media Free. Image from Licadho

Minister of Information Khieu Kanharith denied that the government ordered the blocking of Facebook, stating that it would be “completely crazy” for the government to try to control the Internet. “We have nothing to gain by closing Facebook, and we have no criminal law regarding the internet,” he said.

Although many were quick to point fingers at regulators, the blockage may have been the result of a technical problem. Traceroute testing indicates that much of the Internet traffic Metfone users view is routed from Vietnam. If censors in Vietnam were to misconfigure their firewall, sites censored in Vietnam could easily become blocked in Cambodia too.
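The routing observation above can be checked by anyone with traceroute output in hand. The following is an added example, not code from the original post or from the researchers credited in it: it parses traceroute output, maps each hop to a country, and lists the countries the path transits between the user and the destination, which is exactly the situation in which an upstream network's filtering (or misconfiguration) is inherited downstream. The hostnames, addresses and the prefix-to-country table are constructed for illustration; a real check would consult a GeoIP or whois/ASN database instead.

```python
"""Added example: reading a traceroute for transit jurisdiction.

Parses constructed traceroute output, maps each hop to a country with a
constructed prefix table (stand-in for a GeoIP/ASN lookup), and reports which
countries the path passes through. All IPs, hostnames and prefix assignments
are made up for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed prefix -> country table (hypothetical allocations using the
# documentation ranges, so nothing here points at a real network).
PREFIX_COUNTRY: Dict[str, str] = {
    "203.0.113.0/24": "KH",   # the user's local ISP (assumed)
    "198.51.100.0/24": "VN",  # the ISP's upstream transit (assumed)
    "192.0.2.0/24": "US",     # where the destination site is hosted (assumed)
}

_NETWORKS = [(ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY.items()]

# Hop lines look like " 3  host.example (198.51.100.9)  41.2 ms ..."
# or " 3  * * *" when the hop did not answer.
_HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|(\*))")


def country_for(ip: str) -> Optional[str]:
    """Longest-prefix match of an IP against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def parse_traceroute(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, ip_or_None) per hop line; '*' hops yield None."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # header line or something we cannot parse
        hops.append((int(m.group(1)), m.group(3)))
    return hops


def transit_countries(text: str) -> List[str]:
    """Ordered list of countries on the path, consecutive duplicates collapsed.

    Unanswered hops and IPs outside the table are skipped, not guessed.
    """
    seen: List[str] = []
    for _, ip in parse_traceroute(text):
        if ip is None:
            continue
        cc = country_for(ip)
        if cc and (not seen or seen[-1] != cc):
            seen.append(cc)
    return seen


def foreign_transit(text: str, origin: str) -> List[str]:
    """Countries the path crosses that are neither the origin nor the destination.

    Any filtering applied in these networks reaches the user regardless of
    the user's own country's policy.
    """
    path = transit_countries(text)
    if not path:
        return []
    dest = path[-1]
    return [cc for cc in path if cc not in (origin, dest)]


# Constructed traceroute output: two answering hops in the local ISP, one
# silent hop, two hops in the upstream transit network, then the destination.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (192.0.2.80), 30 hops max, 60 byte packets
 1  gw.isp.example (203.0.113.1)  1.1 ms  1.0 ms  1.0 ms
 2  core1.isp.example (203.0.113.17)  3.4 ms  3.3 ms  3.5 ms
 3  * * *
 4  border.transit.example (198.51.100.9)  21.0 ms  20.8 ms  21.3 ms
 5  core.transit.example (198.51.100.40)  22.7 ms  22.5 ms  22.9 ms
 6  www.example.com (192.0.2.80)  180.2 ms  179.9 ms  180.5 ms
"""

if __name__ == "__main__":
    print("path:", " -> ".join(transit_countries(SAMPLE_TRACEROUTE)))
    print("transit outside origin/destination:",
          foreign_transit(SAMPLE_TRACEROUTE, "KH"))
```

Run against real traceroute output, the same parser works unchanged; only the lookup table needs replacing with a real geolocation or ASN source, and the hops it cannot attribute are reported as gaps rather than assigned a country.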

The incident nevertheless sparked a flurry of commentary from public figures and on social media. Popular Cambodian blogger and Global Voices author Kounila Keo noted how young Cambodian voters actively shared information on Facebook in the recent election:

Facebook was earlier a place where a lot of young Cambodians went to seek entertainment. But Cambodian Facebook users, mostly young people from 18 to 35 years old, have gradually embraced this social network to share and receive information not usually seen in the mainstream media which is considered censored.

Since 2010 when Facebook became popular in Cambodia, videos and pictures of protests, crimes, and violence have been widely shared and circulated to broaden people's political horizons. By 2013, Facebook has become a level playing field for political debates from all sides.

Even United States Ambassador William Todd recognized Facebook as a site where alternative information about Cambodia’s situation is freely discussed:

…social media played a crucial role in disseminating a broad range of opinions and information to the electorate. With access to the Internet, people were able to access a variety of news sources and information. So even when traditional media outlets in Cambodia failed to cover major events or issues, Cambodians were able to learn about them through social media.

Cambodia’s ruling party managed to win again in the recent National Assembly elections but it lost a significant number of seats to the Opposition. It has been accused of committing widespread fraud which undermined the voting process.

Although the blocking may have resulted from technical issues, suspicions of foul play on the government's part were grounded in recent experience. In 2011, Internet Service Providers restricted access to social media sites and platforms including Blogspot in response to requests from government authorities.

Collin Anderson provided research and analysis on technical aspects of this post.

July 31, 2013

With the aim of keeping Peruvian children safe, Congressman Omar Chehade has proposed a bill to protect minors from Internet pornography. But according to some experts, if the bill becomes law, it could end up restricting freedom of expression for all Internet users.

Legislators from the governing Peruvian Nationalist Party presented the bill last July 22. Its preamble states that it is the duty of the state to protect children and adolescents, and that they face potential risks in the use of new technologies that “threaten their sexual freedom.” (p.1) They note that given Internet use by minors for recreational purposes is on the rise, “it is necessary to establish a framework to protect them from cyberspace.” (p.7)

The most worrisome aspect is that the proposed law would create a Commission to Protect Minors from Pornographic Internet Content (COPROME), which would be charged with “choosing, in an impartial, transparent and reasonable manner, the content that would be blocked by Internet service providers.” (p.18) The commission would “permanently monitor the content circulating on the Internet in order to identify those sites or services that should not be propagated in cyberspace.” (p.19)

The bill explains that COPROME “would be able to filter content by Internet service providers in order to restrict minors’ access to pornographic content.”

For lawyer Erick Iriarte Ahón, the bill is clearly aimed at controlling content. On his blog he comments on the use of filters:

[The proposed law] would create a commission that would have to set up preventative filters to monitor content. And so the questions begin: How will these filters determine who is a minor? How will filtering prevent only pornographic content from reaching minors and not content that any user might want to access at any given time? Where does one draw the line between controlling pornographic content and controlling political, religious, labour union or other kinds of content? To create a “decency committee,” as has been tried in other countries, is going down the road to a 1984-style “Ministry of Truth.”

What's more, Iriarte finds it odd that the bill is being put forward against the backdrop of “accusations that the National Intelligence Directorate (#DINI) is monitoring the Web” and “the comments by Congressman Eguren that one should not govern listening to Twitter users.” He adds that:

It is a mistake to try and regulate this way…one has to look…at the attempt by the USA to create the Child Online Protection Act (COPA) where the American Civil Liberties Union (ACLU) were the ones who managed to get the law declared unconstitutional, a law questioned by civil society advocates who found that it weakened access to information and freedom of expression and that it was an instrument by which government could control Internet content.

Lawyer Miguel Morachimo also believes that the proposed law—as currently drafted—threatens freedom of expression and questions whether, by restricting minors’ access to adult content, it is necessary to set up mandatory preventative filters on all Internet content. After pointing out certain false premises contained in the bill, he posits a few inherent problems:

Imagine a group of seven public servants watching astounding amounts of pornography daily and deciding what content to prohibit. Within the first few hours they would probably end up censoring pages like Tumblr, Twitter or Flickr. These three sites host content for adults and, nevertheless, also function as communication and free speech tools for other purposes. What would our Censorship Committee do in those cases?

Morachimo goes on to suggest other possible alternatives to a content blocking system:

[T]he State [could] invite Internet service providers to look for better ways of promoting and selling parental controls…Operators could offer special wireless plans for minors, in the same way as they do in other countries. There are many ways of attacking the problem that do not involve infringing on the rights of the majority of users.

Given the recent date of the bill, which almost coincides with the end of the legislative term, there has been little debate on the matter, though on Twitter as on Facebook a few comments can already be found under the hashtag #leychehade. However, it remains to be seen whether, when Congress reconvenes, digital rights activists will undertake activities to inform citizens and pressure members of Congress not to pass the bill.

July 12, 2013

In April, Nigerian news site Premium Times revealed government plans to purchase equipment that would allow it to conduct online surveillance on an unprecedented scale. The government reportedly had contracted with Israeli company Elbit Systems Ltd to advance the Internet and computer-based gathering of Nigerian citizens’ personal data.

In May, warning bells exposing the government’s interest in digital surveillance rang once more. Nigeria was among the 11 countries discovered by Citizen Lab, a University of Toronto research center, to have FinFisher surveillance software in its possession. Gamma International, the UK-based manufacturer of FinFisher, describes its products as offering “governmental IT intrusion and remote monitoring solutions.” FinFisher products can obtain passwords from your computer, monitor Skype calls, and even turn on your computer’s camera and sound recording so as to watch you at work.

As sourcing in the Premium Times’ initial report was thin, many wondered if the coverage had been exaggerated. But when Minister of Information Labaran Maku gave an interview to Channels Television, the seriousness of the issue became quite clear.

In the interview, the Minister admitted the Nigerian government was indeed planning to spy on its netizens. According to Mr. Maku:

… let me say that most countries in the world… monitor internet. There is no country in the world where communication is not monitored. There are issues of security involved, particularly in a country like Nigeria where we are having challenges of terror… Where terror uses technology to destroy lives…That does not mean assault on the rights of citizens…

The government’s position was not swallowed by Internet users. In this op-ed column in YNaija, an online Nigerian newspaper, Gbenga Sesan asserted:

While the act of surveillance, for the purpose of ensuring national security, might appear noble, it is important to explain how lazy governance is at play again, in what could take Nigeria many years back into the military era when surveillance became a tool of oppression by the State. How does a nation that has no Data Privacy laws or legal provision for interception seek to monitor communication?

Mr. Sesan went on to explain why the implications of these government plans are reprehensible:

Internet surveillance is not something that should be freely given to security agencies that still show signs of military-era tactics. Indeed, many Nigerians are unlearning various things from that military era. Security agencies need to work, but lazy governance does not produce sustainable solutions. Nigeria must put appropriate laws, checks and balances in place first. That is the least any government owes the citizens whose rights it swore to protect.

The lower house of Nigeria’s parliament has since ordered the immediate suspension of the $40m contract, indicating that its secrecy may stand in violation of the Fiscal Responsibility Act of 2007. But whether the executive will heed their directive is a separate issue entirely.

An editorial for The Guardian (Nigeria) has called for a halt to the plan, citing the dangers it presents for citizens’ rights to privacy. The Nigerian government has offered the public no specific information on local, computer-based threats that might justify such a large investment.

Domestic security in Nigeria is regularly threatened by the operations of Boko Haram, a terrorist Islamist group operating in the north of the country and willing to use violence to further its aims. Boko Haram has claimed the lives of about 10,000 people since 2001, rendering the organisation Nigeria’s “number one merchants of destruction.” Given the physical presence of this threat, the need to instead pour money into high-technology tools for Internet and computer surveillance is mystifying for many Nigerians.

Parallels with the current United States debate on the NSA and Edward Snowden’s leaks are only too clear. If in the West the reach of government through technology is being called into question, is this really the best time for Nigeria to invest?

June 17, 2013

America’s controversial Stop Online Piracy Act is back—and it’s poised to become law in a matter of weeks. SOPA, however, isn’t coming to the United States, where a wide coalition of Internet companies, human rights organizations, and concerned citizens defeated the legislation with a massive protest campaign in January 2012. A law that creates similarly harsh penalties for online copyright violations is on the cusp of finding a home in Russia, where it is called “Bill № 292521-6 [ru]: Amendments to the Russian Federation’s Laws Protecting Intellectual Property Rights on Information-Telecommunications Networks.” The media, understandably, is just calling it “the Russian SOPA.”

The lower house of Russia’s parliament, the Duma, approved [ru] a first draft of the legislation today, June 14, 2013, with a vote of 257 to 3 (plus one abstention). This move by lawmakers comes despite unanimous opposition from Russia’s Internet companies, which have rushed this week to publish detailed reports on the legislation’s potentially catastrophic damage to the RuNet.

This image was created by Kevin Rothrock using Vladimir Putin's official portrait by the Russian Presidential Press and Information Office, 2006. (CC-BY 3.0)

Russian SOPA’s nuts and bolts

Indeed, Russia’s SOPA-clone contains a number of worrying clauses. The law’s regime for notifying Internet service providers of copyright abuses, for instance, is laughably inadequate. Copyright holders do not need to provide ISPs with the specific location of an infringement (not even a URL address), forcing Internet companies to conduct constant monitoring for possible misuses of (potentially) copyrighted materials.

The law also revises the conditions of limited liability, exposing ISPs and other Internet intermediaries to legal responsibility in situations where they exercise no control over the content in question. Russian search engine Yandex warns [ru]:

[The law] allows us to come to the absurd conclusion that, having been notified by the copyright holder of a potential violation occurring in the transmission of materials, the ISP, which performs the transmission, will be required somehow to stop the transfer of some specific material, which is technically impossible.

The Russian Association for Electronic Communications (RAEC), which participated in the Culture Ministry’s working group [ru] on the anti-piracy legislation, has also criticized [ru] the law’s lack of consideration for possible fair use of copyrighted materials. Additionally, the RAEC protests, the law creates circumstances wherein ISPs must take provisional measures before copyright holders have filed a formal claim with the courts. Many opponents of the Russian SOPA cite this aspect of the law as an example of extrajudicial censorship. The reality of the law’s provisions is more complicated.

According to the legislation, the Moscow City Court would serve as the court of first instance in all civil cases involving online copyright infringement. Copyright holders first appeal to the court with a complaint that their property is being misused online, attaching (1) proof that they own the materials in question, and (2) proof that someone else is using them. (The court is supposed to take no action, without these attachments.) The court then determines a deadline, not to exceed fifteen days, by which the plaintiff must file a formal statement of claim, which actually launches the legal suit.

In the two weeks between the initial appeal and the option to file a suit, however, the law empowers the Moscow Court to force ISPs to take “interim measures” to remove the content in question, or risk having their entire IP address blocked, if they fail to comply within three days. If the plaintiff fails to file suit after fifteen days, the court dismisses the case and lifts the order for interim measures.

The RAEC claims that there is nothing in the legislation to prevent copyright holders from appealing to the Moscow Court every two weeks, without ever filing a formal suit. In other words, determined plaintiffs could keep in force what are supposed to be interim measures, by using the law as a rotating door. The RAEC explains in its report [ru] on the legislation:

The copyright holder has the opportunity not to sue, but every fifteen days [it can] appeal for the application of new interim measures, and [the law] establishes no responsibility for such behavior.

However, there is a provision in the law that allows ISPs to sue for losses incurred when executing the interim measures, if the plaintiff fails to file a formal suit within the fifteen-day period, or if an arbitration court later rejects the copyright holder’s claim. The current legislation [ru] reads:

The organization or citizen, whose rights and (or) lawful interests are violated by ensuring the [plaintiff’s] property interests before the filing of a claim, has the right to demand their choice of indemnity for losses suffered […], if the plaintiff did not file a claim in the required time period […], or if a valid court decision by an arbitration court rejected [the plaintiff’s] claim.

Finally, the RAEC complains that the law creates a jurisdiction overlap with existing arbitration procedure code, and generates an inconvenient and inefficient legal bottleneck by forcing all parties, regardless of their location, to deal with a Moscow court.

Stakeholders propose changes

The new anti-piracy law also calls for blocking entire IP addresses, in the event of noncompliance with court-ordered interim measures. The push for blacklisting entire IPs is surprising, given the growing consensus that this method is more likely to damage legitimate websites than the Web’s copyright infringers, who can easily circumvent an IP blacklist by changing hosts, adopting dynamic IP addresses, and so on. While Internet service providers and industry experts have long criticized IP blocking (which came packaged in Russia’s legislation last year to blacklist online materials harmful to children), even Roskomnadzor—the government body responsible for administering that blacklist—recently acknowledged the inefficiency of IP blocking in a post [ru] on its new public outreach website, “WeCanTrust.net.”
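The collateral damage the paragraph describes is a direct consequence of how hosting works: on shared hosting and behind content delivery networks, many unrelated sites answer on one IP address, so an order naming a single URL that is enforced as an IP block takes all of them offline. The following is an added example, not code from the original post, from RAEC, Yandex or Roskomnadzor: it models a constructed hosting table and compares which sites an interim measure affects when it is enforced by IP versus by the exact URL named in the order. Every hostname and address is made up; `BlockOrder`, `HOSTING` and the helper functions are this example's own.

```python
"""Added example: why enforcing a URL takedown as an IP block over-blocks.

Models a constructed hosting table in which several unrelated sites share one
IP, then compares the set of sites affected by IP-level versus URL-level
enforcement of the same order. All names and addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class BlockOrder:
    """One interim measure, expressed as the URL the court wants removed."""
    url: str


# Constructed hosting table: hostname -> IP it is served from.
# Four unrelated sites share 198.51.100.7 (a hypothetical shared host);
# one site has an address of its own.
HOSTING: Dict[str, str] = {
    "pirate-films.example": "198.51.100.7",
    "school-library.example": "198.51.100.7",
    "local-news.example": "198.51.100.7",
    "cooking-blog.example": "198.51.100.7",
    "standalone-shop.example": "203.0.113.20",
}


def resolve(hostname: str) -> str:
    """Look up the constructed hosting table (stand-in for a DNS query)."""
    return HOSTING[hostname]


def named_hosts(orders: List[BlockOrder]) -> Set[str]:
    """Hosts explicitly named in the orders' URLs."""
    return {urlsplit(o.url).hostname for o in orders}


def affected_by_url_block(orders: List[BlockOrder]) -> Set[str]:
    """Hosts affected when only the exact URL in each order is blocked.

    Only the named host loses the named path; every other host stays up.
    """
    return named_hosts(orders)


def affected_by_ip_block(orders: List[BlockOrder]) -> Set[str]:
    """Hosts unreachable when each order is enforced by blocking the host's IP."""
    blocked_ips = {resolve(h) for h in named_hosts(orders)}
    return {host for host, ip in HOSTING.items() if ip in blocked_ips}


def collateral_damage(orders: List[BlockOrder]) -> Set[str]:
    """Hosts taken down by IP blocking that no order actually named."""
    return affected_by_ip_block(orders) - named_hosts(orders)


def overblock_ratio(orders: List[BlockOrder]) -> float:
    """Collateral hosts per host actually named (0.0 when nothing is named)."""
    named = len(named_hosts(orders))
    return len(collateral_damage(orders)) / named if named else 0.0


# Constructed orders: one against a site on the shared host, one against the
# site with its own address.
SHARED_HOST_ORDER = [BlockOrder("http://pirate-films.example/watch/some-film")]
DEDICATED_HOST_ORDER = [BlockOrder("http://standalone-shop.example/catalog")]

if __name__ == "__main__":
    for label, orders in (("shared host", SHARED_HOST_ORDER),
                          ("dedicated host", DEDICATED_HOST_ORDER)):
        print(f"--- order against {label} ---")
        print("URL block affects:", sorted(affected_by_url_block(orders)))
        print("IP block affects: ", sorted(affected_by_ip_block(orders)))
        print("collateral:       ", sorted(collateral_damage(orders)))
        print("over-block ratio: ", overblock_ratio(orders))
```

The ratio is what a regulator or ISP would want to estimate before choosing an enforcement method: with a real hosting table (reverse DNS or passive DNS data for the target IP) the same functions show how many uninvolved sites a given order would take down, and an order against a site on a dedicated address shows zero collateral damage either way.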

The Duma’s Committee on Culture has also proposed a series of controversial amendments that could appear in the next iteration of the legislation. The Committee’s suggestions include an expansion of the law’s applicability to search engines; the creation of a new blacklist for all websites containing illegal materials; and applying the law not just to audiovisual content, but also to “books, articles, photographs, and other copyrighted objects.”

Yesterday, on June 13, 2013, Yandex sent [ru] the Duma its official list [ru] of comments and suggestions for revising the anti-piracy law, as the bill heads back to committee for more amendments, ahead of its second and third readings on the parliament floor, which could take place as early as next week [ru]. In a blog post [ru] that also sharply criticized the new legislation, Google Russia’s Director of Government Relations, Marina Zhunich, announced that Google, too, has shared with the Duma its recommendations for eliminating the most radical aspects of the draft legislation.

Both Google and Yandex are calling for amendments that would render the Russian SOPA more similar to the Digital Millennium Copyright Act, another American law, passed in 1998 by a unanimous vote in the United States Senate and signed into law by President Bill Clinton. Unlike the anti-piracy law that Russian legislators are now considering, the DMCA exempts from liability Internet service providers and other intermediaries under a regime in which copyright holders directly notify ISPs of infringement claims, without the application of automatic censorship or state-administered blacklists.

June 14, 2013

Last week's revelations about phone and Internet surveillance programs of the US government's National Security Agency (NSA) sent shock waves throughout the United States and the western media, but also around the globe. While in the US, many privacy-minded lawmakers and even digital rights advocates used the news as an opportunity to demand better protections for Americans’ online privacy, Internet users worldwide were left wondering how to protect their own data, short of closing their Google accounts, packing up their Facebook profiles and heading for the woods.

Documents leaked by Booz Allen employee and NSA contractor Edward Snowden have now confirmed that customer call data from telecommunications companies like Verizon and AT&T was being passed to the NSA through a system where accountability was scarce and secrecy ruled. Reports indicate that the agency applies a vague standard of “foreignness” when determining whether or not a person's communications would be subject to surveillance under the US Foreign Intelligence Surveillance Act (FISA) — users who spoke with individuals in other countries, for any reason from hatching terrorist plots to catching up with relatives — could come under watch.

Image by the Electronic Frontier Foundation. (CC BY-2.0)

The documents also revealed details about an Internet surveillance program known as PRISM, which allows the NSA and the Federal Bureau of Investigation (FBI) to obtain copious amounts of user and communication data from major Internet companies including Google, Facebook, and Microsoft. While many details of the program remain murky, the news has left international digital rights advocates reeling. Advocacy groups in the UK wrote an open letter to Prime Minister David Cameron, condemning US government surveillance of British citizens and demanding strong protections for digital privacy in the UK. An international coalition of advocates meanwhile is pushing the UN Human Rights Council to convene a special session to discuss the matter and develop recommendations for member states.

While some see the revelations as an opportunity to push for stronger laws at home, others fear that the US, ever-committed to “leading by example,” has set a new, very low standard for online privacy protections worldwide.

“The leaks reveal an abuse of any citizen's basic rights, no matter which country the citizen is in,” Wafa Ben Hassine, a Tunisian human rights advocate and ACLU member told Global Voices Advocacy. Ben Hassine pointed out that Tunisians are familiar with pervasive surveillance. “The Tunisian government in Ben Ali's era indulged in spying on the average citizen's digital communications for decades,” she said, arguing that this moment should be seen as an opportunity for policymakers to develop laws that would “enshrine the values of digital rights.”

Alberto Cerda, a human rights lawyer and international program director of Chilean digital rights group Derechos Digitales described how in Chile, the government has “done its homework” in this area. He explained that human rights, including the right to privacy, are well protected under Chilean law. But this, Cerda pointed out, doesn't even begin to solve the problem:

This proves that a local solution won't do, as the violation of fundamental rights has a global character. What good is it for me to be protected in Chile if it's actually the US government that's violating my rights?

His question has likely loomed large for many users since the news hit. Kasia Szymielewicz, director of Polish digital rights group Panoptykon, argued that the NSA's actions would violate the EU's data protection policies, which aim to provide stronger protections against private or corporate data collection than are afforded in the US. She told GVA:

Nobody expected that NSA and FBI have direct access to companies’ servers, which in practice means that data of Polish and European citizens can be used and abused without any legal safeguards. In the light of European data protection standards, even in the scope of law enforcement, this practice simply cannot be accepted.

Some advocates see the particulars of the PRISM program as a reason to promote Internet business at the national level. Anja Kovacs, director of the Internet Democracy project in Delhi, India, said that India's ISP association sees this as an opportunity to push for requiring multinational companies to establish servers in-country, a move that would give the Indian government greater jurisdiction and control over local users’ data and US government efforts to obtain it.

Kovacs said that the Association has correctly pointed to the “duplicity of US-based companies in denying access to information to the Indian government while making it freely available to the US government,” but cautioned that “the latter point is sometimes framed in highly nationalist terms [as] urging for solutions that would perhaps benefit the Indian state but not necessarily Indian users.” Many advocates in India argue that efforts to establish servers in-country are mainly driven by government desires to achieve greater control over online speech.

Ben Hassine also commented on the need for establishing more companies outside the US.

The NSA leak should provide every country a lesson – including Tunisia – that the key to ensuring online privacy and digital rights is through the development of local platforms and content and making such tools available globally. Our reliance on US-based ‘big tech’ is an elemental part of the problem.

Advocates also speculated on how the NSA revelations might influence national-level policymaking on the issue of privacy itself. Carlos Afonso, an Internet governance expert and director of Brazilian Internet rights group Instituto Nupef, pointed to Brazil's Data Protection Law, which will be brought before Congress in the near future. Afonso urged that future debates on privacy be transparent and open to all parties affected:

[The data protection debate] needs to bring guarantees that data protection will be a policy/regulatory field where all the sectors of society are fully engaged, with spaces for the full participation of civil society.

Szymielewicz hoped that the news would trigger greater efforts to ensure data privacy within the European Union, and noted that the “PRISM affair” had already triggered a “serious debate” within EU institutions. But she also cautioned that the news could have precisely the opposite effect in many countries, including her native Poland:

There is a risk that Polish authorities and security agencies may want to follow the NSA and FBI and demand even broader access to our data for public security purposes, therefore lowering our standard of legal protection.

As new information continues to emerge around this story, lawmakers and digital rights advocates should consider the global implications of these programs and other pervasive digital surveillance efforts by governments around the world. In a digital era, where it is impossible to draw a line separating the communications of “citizens” or “residents” of a particular country and “foreigners”, governments must strive to develop policies that will not only fit this new paradigm, but truly protect the privacy and freedoms of users worldwide.

June 5, 2013

Presidential Palace, Hanoi. Photo by Paul Morse, released to public domain.

In March, Vietnamese political news blog Anh Ba Sam underwent a series of attacks that left its content compromised and its owners unable to access the blog’s back end. Attackers took over the site, replacing its articles with their own content and changing passwords for the site’s administrative sections.

When Anh Ba Sam’s owners contacted WordPress.com, the blog’s hosting service, in an effort to reclaim access to their site, the company asked the owners to verify their identities. But this wasn’t easy — the attackers had changed the security information on the site, leaving the owners temporarily unable to prove their claim. Although the issue has since been resolved, it raises critical questions about the role of blog hosting platforms and their responsibility to provide adequate security measures for their clients.

‘The Gossiper’

Anh Ba Sam (ABS) has established a unique position in recent years as a consolidator of reportage on events and trends in Vietnam. The site features articles re-posted from the foreign press and original reporting from the ABS community, many members of which identify themselves as dissidents. ABS publishes news updates four times daily, and regularly posts political, economic and social analyses contributed by respected intellectuals and experts. Before the attack, the site was garnering roughly 100,000 hits daily.

In Vietnamese, “Anh” is a personal pronoun used for an older, male person. “Ba Sàm” means “the Gossiper”. One site administrator explained to Global Voices Advocacy that readers developed a saying after the blog was founded: “Ba sàm thông tin chính thống, chính thống nói chuyện ba sàm,” or, “The Gossiper communicates official news, while the official media merely gossips.”

The attack

ABS was a high-value target for Vietnam's internal security agencies, though there is no hard evidence that government actors were involved in the attack. On March 8, hackers took control of ABS, locking out its true owners and deleting all of its content. On March 13, hackers (presumably the same person or group as before) posted on the site a lewd and defamatory ‘exposé’ of ABS managing editor Dinh Ngoc Thu, derived from materials she suspects hackers looted from her own computer.

Thu sent urgent requests to WordPress customer assistance staff, asking that control of the site be restored to her and her colleagues. Their response was that Thu must first prove that she was the true owner of the site, but this was impossible — all identifying data, correspondence with WordPress, billing records, and other evidence of ownership had been stored in subdirectories of the site itself, so once the attackers controlled the site that evidence was either deleted or no longer accessible to the ABS team, leaving them with no independent proof of ownership.

Could WordPress help?

Contacts of Thu’s brought the issue to the attention of the general counsel of Automattic, WordPress.com's parent company. WordPress customer assistance staff then became more cooperative and control of the blog was restored to the ABS staff. Yet it required substantial effort to persuade WordPress to remove various sub-blogs and other booby traps hidden within the ABS site by the hackers. Had the ABS team not been able to connect with influential staff at WordPress and Automattic, they may have spent far longer working to regain access to their site.

Not long after this, WordPress.com deployed a two-step authentication procedure for all its clients’ use. There’s no way to know for sure, but some believe that the ABS incident catalyzed this change.

ABS has been up and running again, with tighter security and a new URL, since late March 2013. Average daily hits have climbed back to 73,000. ABS staff are hoping to move the blog soon to a new and inherently more secure server.

Increasing security for vulnerable blogs

ABS administrators and Global Voices Advocacy urge WordPress to adopt a policy of proactive, preemptive assistance for blog administrators facing challenges similar to those of ABS. We believe that WordPress should take responsibility to the fullest extent possible for ensuring that their clients’ sites aren’t hacked (for example by strongly recommending two-factor authentication and being more aggressive about helping to ensure that all WP scripts and plugins used by blog administrators are up to date).

The company could consider developing a mechanism that enables its clients to recover control of a hacked account. As was the case with ABS, suppose a person claiming to be the site owner urgently requests help regaining control of the site. WordPress staff very possibly won’t be fluent in the language used on the site. How can they tell who is the bona fide owner? A recent, sudden and radical change in the pattern of administrative access to the site (logins from a previously unseen origin, immediately followed by password and recovery-address changes and the mass deletion of content) should be prima facie evidence that a hijacking has taken place. At that point, WordPress could deny administrative access to the site to any party pending a sorting out of claims.
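The access-pattern test suggested above can be made mechanical. The following is an added Python example, not WordPress.com’s or ABS’s code, that runs a takeover heuristic over a constructed administrative audit log: it learns the origins seen during a baseline period, then flags a never-seen origin that performs lockout or destructive actions within hours of first appearing, and counts the established origins’ subsequent failed logins as corroboration. The log format, the action names and the thresholds are assumptions made for the illustration.

```python
"""Heuristic detection of a hijacked blog admin account from its audit log."""
from datetime import datetime, timedelta

# Actions an attacker takes to lock out the real owners or wreck the site.
LOCKOUT_ACTIONS = {"password_change", "recovery_email_change",
                   "admin_added", "admin_removed"}
DESTRUCTIVE_ACTIONS = {"bulk_delete", "theme_edit"}

# Constructed sample log (not real data): '<ISO time> <ip> <actor> <action>'.
# February is normal activity; on March 8 an unseen origin uses editor1's
# credentials, rotates the secrets, deletes content, and the owners are locked out.
SAMPLE_LOG = [
    "2013-02-01T08:00:00 203.0.113.7 editor1 login_success",
    "2013-02-01T08:05:00 203.0.113.7 editor1 post_publish",
    "2013-02-02T09:00:00 203.0.113.9 editor2 login_success",
    "2013-02-15T10:00:00 203.0.113.7 editor1 post_publish",
    "2013-02-20T11:00:00 203.0.113.9 editor2 post_publish",
    "2013-03-05T08:00:00 203.0.113.7 editor1 login_success",
    "2013-03-08T02:14:05 198.51.100.23 editor1 login_success",
    "2013-03-08T02:16:30 198.51.100.23 editor1 password_change",
    "2013-03-08T02:17:10 198.51.100.23 editor1 recovery_email_change",
    "2013-03-08T02:30:00 198.51.100.23 editor1 bulk_delete",
    "2013-03-08T09:00:00 203.0.113.7 editor1 login_failure",
    "2013-03-08T09:05:00 203.0.113.9 editor2 login_failure",
]


def parse_log(lines):
    """Parse audit lines into (timestamp, ip, actor, action), oldest first."""
    events = []
    for line in lines:
        ts, ip, actor, action = line.split()
        events.append((datetime.fromisoformat(ts), ip, actor, action))
    return sorted(events)


def detect_hijack(events, baseline_days=30, window=timedelta(hours=6)):
    """Return an alert dict if the log shows a takeover pattern, else None.

    A takeover is: an origin never seen during the baseline performs lockout
    or destructive actions within `window` of its first appearance. Failed
    logins from baseline origins after that point are counted as corroboration.
    """
    if not events:
        return None
    baseline_end = events[0][0] + timedelta(days=baseline_days)
    known_ips = {ip for ts, ip, _, _ in events if ts <= baseline_end}
    first_seen = {}
    alert = None
    for ts, ip, actor, action in events:
        if ts <= baseline_end:
            continue
        first_seen.setdefault(ip, ts)
        if ip in known_ips or action not in LOCKOUT_ACTIONS | DESTRUCTIVE_ACTIONS:
            continue
        if ts - first_seen[ip] > window:
            continue  # slow, established use of a new origin is not the pattern
        if alert is None:
            alert = {"ip": ip, "actor": actor, "at": ts, "actions": []}
        if alert["ip"] == ip:
            alert["actions"].append(action)
    if alert is None:
        return None
    alert["owner_lockouts"] = sum(
        1 for ts, ip, _, action in events
        if ip in known_ips and action == "login_failure" and ts > alert["at"]
    )
    # The response the text argues for: nobody gets admin access until claims are sorted out.
    alert["recommended_response"] = "freeze all administrative access pending out-of-band ownership verification"
    return alert


if __name__ == "__main__":
    print(detect_hijack(parse_log(SAMPLE_LOG)))
```

A real deployment would key the baseline on more than IP address (device, ASN, country, time of day) and would treat a credential-reset burst as an alert even from a known origin when it is followed by lockouts; the point here is that the signal exists in data the platform already holds, so it does not need to read the site’s language to act.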

WordPress should take pride in its unique role as an enabler of free political speech around the world. To this end, we believe the company should provide interactive security counseling to the many alternative and dissenting bloggers it hosts. Such a commitment would strengthen the public image of both WordPress and Automattic, and provide an invaluable service to its community.

May 23, 2013

The Pakistani human rights organisation Bytes for All is challenging the use of invasive surveillance software by the government of Pakistan. FinFisher, produced by Gamma International, a UK-based company named by Reporters Without Borders as one of five “corporate enemies of the internet” and “digital era mercenaries,” is notorious for its advanced spying and surveillance capabilities which are used to target human rights movements all over the world. For example, Egyptian protesters in March 2011 found documents pointing to the use of FinFisher by the Egyptian security services under Hosni Mubarak and in July 2012 Bloomberg reported on the targeting of Bahraini activists with the software.

Campaign poster from Bytes for All, Pakistan

FinFisher software is installed remotely through seemingly innocent software updates of regular programs such as iTunes or Firefox, or through code embedded in an e-mail. The software is built to evade antivirus scanners and works on all common mobile platforms. Once installed, it allows the operator to access all stored information and to monitor even encrypted communication, since it captures data on the device itself before encryption is applied. Keystrokes can be logged, Skype conversations recorded, and cameras and microphones activated remotely.

The problem with software like FinFisher is that it is “dual-use”: it can be used for legitimate purposes by government agencies to monitor criminals, but as researchers at Citizen Lab found, it is often sold to countries where the exercise of legitimate rights such as the right to free expression is considered criminal activity. Among the 36 countries listed by Citizen Lab that use or have used FinFisher many have a well-documented record of human rights violations, such as Bahrain, Bangladesh, Brunei, Ethiopia, Qatar, Turkmenistan, the United Arab Emirates and Vietnam.

That list also includes Pakistan. Concerned with this violation of Pakistani citizens’ right to privacy, Bytes for All has filed a petition in the High Court of Lahore, seeking a response from the government of Pakistan to the following questions: (1) Why was FinFisher deployed in Pakistan? and (2) Who authorised its deployment? Moreover, Bytes for All requested the Court to order the government to immediately halt all FinFisher activities, on the grounds that its use clearly violates the fundamental rights of the people of Pakistan.

This is a pioneering legal bid. Previous action has been taken against FinFisher: the UK-based NGO Privacy International recently filed a request for judicial review of UK customs agency’s refusal to release information about the potential illegal export of FinFisher to countries with a record of human rights abuses. A complaint against Gamma International was also filed with the OECD for the use of FinFisher software in Bahrain, and Mozilla has taken steps to stop it from infringing upon its brand by letting the software pose as legitimate Firefox products. Challenging a government’s use of spying software, however, is relatively uncharted territory and could set an important precedent. On May 8, 2013, the High Court ordered the Pakistan Telecommunications Authority to carry out a full investigation into the FinFisher allegations and present its findings before the Court on June 24, 2013. This will be a case to watch.

Nani Jansen is Senior Legal Counsel with the Media Legal Defence Initiative (MLDI). MLDI is working with its partners around the world to challenge internet censorship and surveillance. Bytes for All and MLDI are currently challenging the blocking of YouTube and other websites in Pakistan.

April 24, 2013

In 2011, two separate lawsuits were filed against Cisco Systems alleging that its technology enabled the government of China to monitor, capture, and kill Chinese citizens for their views and beliefs.

The first case involved practitioners of Falun Gong, a religion that is popularly known for its use of qigong exercises and has an estimated two million or more members in China. The suit was filed on behalf of Charles Lee, Guifu Liu, Ivy He, and several anonymous plaintiffs and accuses Cisco of marketing its technology to construct the Golden Shield, or what is popularly called the Great Firewall of China, while knowing that its products would be used to target dissidents. At least 2,000 members of the Falun Gong have been killed by the government of China, according to The New York Times, and many more have been tortured or harassed.

The second case (the Writers case) involved a group of internet writers and activists who were similarly targeted by censors of the Great Firewall. Du Daobin, Zhou Yuanzhi, Liu Xianbin, and anonymous co-plaintiffs claim to have been harassed, arrested, and tortured because of their online writings.

To what extent are these human rights violations attributable to technology provided by Cisco? The complaint in the Writers case states that Cisco began marketing its products to the Chinese government in 2002, when the Great Firewall was still in its infancy. The available evidence is especially compelling in the Falun Gong case. It includes a leaked Cisco marketing team PowerPoint slide explaining that its systems could be used to “Combat ‘Falun Gong’ evil religion and other hostiles.” Other documents reveal that Cisco may have customized its products to specifically monitor groups like the Falun Gong; these were significant enough that the plaintiffs in the Falun Gong case amended their complaint in March 2012. (For an excellent backgrounder from 2011, read Jillian York's piece for EFF here.)

The plaintiffs in both cases sued under a variety of laws including the Alien Tort Statute (ATS), a crucial 200 year-old law that has been successfully used to hold human rights violators accountable in US courts.

The ATS was used in several lawsuits in Nigeria involving a group of writers and activists who were jailed, tortured, or executed by the military regime in the mid-1990s for peacefully protesting the destruction of Niger Delta wetlands by Royal Dutch Shell and other international oil conglomerates. The claimants in these cases sued Shell, arguing that the company had aided and abetted the Nigerian government and violated international law.

When the Supreme Court agreed to revisit the ATS in Kiobel v. Shell—the latest of the string of Nigeria cases utilizing the Alien Tort Statute—both Cisco cases were put on hold in October 2011 because their outcome would be affected by the top court's ruling. Human rights activists feared the worst from the conservative court, and they were right to be afraid. In its decision, the court significantly narrowed the scope of the ATS by citing a principle called the “presumption against extraterritoriality”, a legal term of art that means that laws should be interpreted as only applying within the U.S. unless clearly stated otherwise. (Click here for an in-depth explanation of Kiobel at PEN.org.)

Falun Dafa practitioners. Photo by longtrekhome. (CC BY 2.0)

The Supreme Court judges issued three separate concurring opinions in Kiobel, which do not have the force of law. These suggest that if there is a significant enough American interest, then a federal court could properly hear an ATS case. Cisco is headquartered in the U.S. and was selling its products abroad, so this seems like a significant interest for Americans. The victims, however, were Chinese nationals, although some of them now reside in the US. It is therefore unclear whether the plaintiffs would overcome the burden to show that Cisco's actions affected an American interest.

Even if US federal courts hold that the Alien Tort Statute does not apply to the Cisco cases, the plaintiffs in each suit also filed claims alleging violations of state law (in California and Maryland, respectively) and the 1986 Electronic Communications Privacy Act (ECPA), which governs the ability of companies to disclose private user data to government and law enforcement officials. On the surface, these claims are not nearly as strong as an ATS claim before Kiobel. In 2009, a judge in a California federal court held in Zheng v. Yahoo! that the ECPA does not apply abroad, even when information that is disclosed abroad passes through computer servers on American soil.

Before Kiobel, there was no guarantee that human rights victims could win an ATS case on the merits in federal court, and the cases often resulted in settlement. But we have now come to the point when critical human rights cases may not even be argued in U.S. courts at all. This is a terrible loss for human rights, and even a loss for corporations. Litigating the Cisco cases in open court would provide a vital human rights record for the global community about how tech firms operate.

There is another formidable hurdle: the legal team that defended Royal Dutch Shell in Kiobel, led by the former dean of Stanford Law School Kathleen Sullivan, is also defending Cisco.

Human rights are good for business. A 2012 open letter from a group of socially responsible investors representing over $548 billion in investments explicitly stated [PDF] that human rights can and should be protected by businesses. This goal was reinforced by the UN's Guiding Principles on Business and Human Rights, which require companies to actively protect human rights, respect them, and provide remedies to victims of human rights abuses that result from actions by companies. Unfortunately, the facts in Kiobel and Cisco suggest that we are not there yet, and we need the courts to show us the way to go. In this sense, the Supreme Court has provided no real guidance.

April 22, 2013

Hong Kong-based citizen media platform inmediahk.net [zh] was hit by a DDoS attack last week, coming mainly from China. On April 19 at approximately 4pm, the website was taken offline by Rackspace, the website's cloud host, due to malicious traffic. Inmedia, a volunteer citizen media network, has been blocked in mainland China since 2007. Inmedia members believe that recent coverage of controversial issues, including a dock workers’ strike in Hong Kong and the construction of a military pier in the city's center, may have triggered the attack.

DDoS Attacks from China

Administrators explained that the attack resulted in heavy packet loss caused by a deluge of automated data requests that left the site's servers overloaded. A further explanation from Rackspace to inmediahk.net said the DDoS attacks came mainly from China:

The attack was specifically targeting the domain name www.inmediahk.net. When we changed IPs in DNS, the attack followed. As far as the source IPs, it was a large group of addresses from various different countries, mostly from China, which is typical of a DDoS from a botnet of compromised hosts. The attack switched from a SYN flood to a TCP fragmentation attack after we enabled a measure which provides for SYN flood protection at the expense of site performance.
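Two details in that note matter for anyone defending a site: because the attackers re-resolved the hostname, moving the server to a new address bought nothing, and the SYN flood had to be absorbed by the host itself. One standard SYN-flood defence is SYN cookies: the server encodes the handshake state into the sequence number of its own SYN-ACK, so a flood of spoofed SYNs never fills a backlog of half-open connections. The block below is an added, simplified Python model of that scheme, not Rackspace’s or inmediahk.net’s code and not the specific measure they enabled; the secret, the four-entry MSS table and the one-minute counter are assumptions chosen for the illustration. A genuine final ACK reconstructs the negotiated MSS, while a forged or stale one is rejected without any state having been allocated.

```python
"""Stateless SYN-cookie handshake, as a model of SYN-flood protection."""
import hashlib
import hmac
import ipaddress
import struct
import time

# Assumption: a per-host random secret; a real implementation rotates it.
COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"

# The cookie has no room for the full MSS option, so only a small table of
# values can be encoded (the index goes into the low bits of the cookie).
MSS_TABLE = (536, 1220, 1440, 1460)

MASK32 = 0xFFFFFFFF
MASK24 = 0xFFFFFF


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """32-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHB", src_port, dst_port, counter))
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def current_counter(now=None):
    """Coarse time counter: one tick per minute, wrapping at 8 bits."""
    now = time.time() if now is None else now
    return int(now // 60) & 0xFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, counter):
    """Server side: compute the ISN for the SYN-ACK instead of storing state.

    Relative to the client's ISN the cookie carries the 8-bit counter in its
    top byte and, below it, a 24-bit keyed hash with the MSS index added in.
    """
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = candidates[-1] if candidates else 0
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return (client_isn + (counter << 24) + ((h + mss_idx) & MASK24)) & MASK32


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn,
                     ack_seq, counter, max_age=1):
    """Server side: validate the handshake's final ACK.

    ack_seq is the client's acknowledgement number (our ISN + 1). Returns the
    negotiated MSS if the cookie is genuine and at most max_age ticks old,
    otherwise None, in which case the packet is simply dropped; no backlog
    slot was ever consumed for this connection attempt.
    """
    diff = (ack_seq - 1 - client_isn) & MASK32
    cookie_counter = diff >> 24
    if (counter - cookie_counter) & 0xFF > max_age:
        return None  # stale or from the future: replayed / guessed
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, cookie_counter)
    mss_idx = ((diff & MASK24) - h) & MASK24
    if mss_idx >= len(MSS_TABLE):
        return None  # hash mismatch: forged cookie or different 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    tick = current_counter()
    isn = 0x12345678
    cookie = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, isn, 1460, tick)
    ack = (cookie + 1) & MASK32
    print("genuine ACK ->", check_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, isn, ack, tick))
    print("spoofed src ->", check_syn_cookie("198.51.100.8", 40000, "203.0.113.10", 80, isn, ack, tick))
```

The trade-off the Rackspace note alludes to is visible in the model: only a handful of MSS values survive, and other TCP options negotiated in the SYN are lost, which is why such protections are usually enabled only once the backlog is under pressure.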

In order to restore the website, inmediahk.net has begun using CloudFlare, a DDoS mitigation service, to pre-filter malicious traffic coming from sources such as botnet zombies [computers infected with a DDoS attack program] and web spammers [bots that send spam or post spam-like comments] before it reaches the site's servers. In 24 hours, CloudFlare recorded 608 unique threats to the site. A threat control report confirmed that while the attacks are coming from different countries, nearly half of the attackers are from China, including Hong Kong.

Baidu Reported as Webspammer

The report also showed a large number of IP addresses (between 180.76.5.0-180.76.5.212) that registered as web spammers. According to Domain Tools’ IP information, this set of IPs comes from Baidu, China's largest search engine, which is listed on the US stock market.

Screen Capture from the threat report

Because inmediahk.net is blocked in China, all visits from China must come through a VPN (Virtual Private Network) or a proxy server — visitors’ IP addresses thus appear to come from overseas rather than from mainland China. In fact, Baidu's search engine does not show any results linking to inmediahk.net. When one searches the headline of a recent inmediahk.net article “香港獨立媒體網被中國黑客攻擊” [Hong Kong Independent Media's Website Attacked by Hackers from China], Baidu offers no result leading to inmediahk.net [zh]; an identical search on Google brings up inmediahk.net's article as the top result [zh].

Global Voices Advocacy asked Baidu for comment on the attack, but the company had not yet replied as of publication time.

According to inmediahk.net's report about the hacking incident [zh], the website has been paralyzed by hackers in the past. Despite having shifted to a cloud hosting service in 2010, it has continued to suffer from occasional DDoS attacks around sensitive periods, such as the annual June 4 Candlelight Vigil to commemorate the 1989 protests at Tiananmen Square. These have typically produced spikes in CPU load that slow down the website. But the scale of the recent attack is much greater than previous ones.

Controversial content

Members of inmediahk.net believe the attack was triggered by recent content on the site. Over the past two weeks, the network has been covering an ongoing strike by dock workers for Hong Kong International Terminals (HIT), the company that runs Hong Kong's docks and is owned by local business tycoon Li Ka-Shing. Articles on the site expose how workers have been exploited through HIT's subcontracting system — subcontracted workers currently earn lower wages than they did in 1995. Another polemical series focuses on the construction of the People's Liberation Army (PLA) Navy Pier [zh] at Central, the city center of Hong Kong. It accuses the Hong Kong government of violating city planning protocols in the construction of PLA pier and criticizes authorities for converting a large piece of city land from a public recreational space into one for military use.

Global Voices Advocacy will continue to cover this story as it unfolds.

April 21, 2013

In March, Global Voices Advocacy reported on Chilean Twitter user Rodrigo Ferrari, who was facing prosecution for operating a Twitter account that parodied millionaire Andrónico Luksic. We have good news about the case: the claim was dismissed by a court in Santiago, the nation's capital. However, the decision is not final and may be reviewed by the Court of Appeals.

Photo by Rhinman. (CC By 2.0)

In this small victory for online freedom of expression in Chile, where presidential elections will soon take place, the court established that the facts presented showed no evidence of “usurpation of identity,” as Luksic had claimed.

The accusation was a direct threat to freedom of expression in Chile, revealing the special bias of the Office of the Prosecutor when the affected interests are those of powerful citizens. A real democracy is one that protects the rights and safeguards of the common citizen, particularly in cases like this one. In that sense, we welcome the ruling of the court.

The resolution of the Court is a good sign, particularly given upcoming presidential elections, a time when citizens of Chile must be free to express their opinions and disagreements on social networks.

April 12, 2013

Smoking cannabis is dangerous business for people the world over. In Russia, just writing about it online is apparently enough to run afoul of federal anti-drug police, as that nation’s Wikipedians learned last Friday, April 5, 2013. It was then that state officials first informed Wikimedia Russia, the Wikimedia Foundation’s local chapter, that the government has placed its “Cannabis Smoking” article [ru] on its blacklist of illegal websites.

Troubles multiplied for the “Free Encyclopedia” when Vladimir Pikov, spokesman for Roskomnadzor (the agency charged with managing the blacklist), went on national radio [ru] and revealed that 15 different Wikipedia articles are now among the URLs banned in Russia. “[Wikipedia] has been on the list for a long time,” Pikov later told [ru] Interfax.ru, adding, “Why people are suddenly realizing this now, I don’t know.”

Responsibility for the confusion seems to lie with the government: as it turns out, officials neglected to inform Wikimedia Russia about any of its blacklisting decisions until last week. (Pikov says Roskomnadzor was unable to reach Wikipedia’s non-volunteer administrators.) Only aggravating the mess, the documents ultimately transmitted to Wikimedia are full of chronological holes. According to the actual [ru] “united registry” directory, for instance, the “Cannabis” article landed on the blacklist back in mid-December 2012. The paperwork [ru] sent on April 5, however, reports that anti-drug police came to their decision on March 26, 2013.

As it turns out, since last year there have been at least seven redundant decisions by state regulators and police to add Wikipedia’s “Cannabis” article to the RuNet blacklist. In a blog post [ru] published April 8, Wikimedia Russia revealed that a total of ten Wikipedia articles (not fifteen, as Pikov told RSN radio) are technically banned in Russia as of this moment. These encyclopedia entries relate to narcotics (cannabis smoking, LSD, etc.) and suicide (self-immolation, “suicide methods,” and so on), include both Russian and English articles, and were selected by officials from three different agencies: Roskomnadzor, FSKN (the anti-drugs police), and Rospotrebnadzor (consumer rights regulators).

Russian Wikipedia’s Twitter account announced [ru] the discovery with a nod to fellow prey of the federal blacklist:

Well at last it’s finally happened: they’ve put us on the blacklist (twice?) for the article “Smoking Cannabis.” Hello to @ru_pirateparty and @lurkmore_ru.

Since the news broke last Friday, Russian Wikipedians have been feverishly revising and refining [ru] the “Cannabis” article, though not with any express aim to reconcile its content with Russia’s Internet censorship laws. The “Cannabis” article is almost six years old (first created in December 2006), and it has endured more than five hundred edits in that lifespan. Indeed, the latest wave of revisions addresses Wikipedia’s own quite stringent standards of objectivity and citation. On several Wikipedia discussion boards [ru], editors voiced their opinions about Russian officials’ decisions to ban several of their articles. While some users expressed concerns that the articles in question are poorly written, commenters are unsurprisingly and overwhelmingly opposed to deleting or altering the site’s material to accommodate the RuNet blacklist.

Let them close it. It could be funny, such a classic advertisement for one article.

This, of course, was a reference to the Streisand Effect, “the phenomenon whereby an attempt to hide or remove a piece of information has the unintended consequence of publicizing the information more widely.” The Effect operated in force over the weekend, propelling Russian Wikipedia’s “Cannabis” article to roughly 13,000% its normal traffic, jumping from 431 views on Thursday, April 4, to over 56,000 views the next day. In the past week, the “Cannabis” article has attracted over 125 thousand views, fewer only than the site’s entries for Odnoklassniki (a RuNet social network) and Margaret Thatcher (who died on April 8).

Even the name of the article, “Cannabis Smoking,” might subject it to the [blacklist’s] formula, since it makes it illegal even to mention the means of drug use. [...] It’s the same for suicide: the phrases “Yesenin hanged himself,” “Mayakovsky shot himself,” and “Romeo and Juliet poisoned themselves” are also excuses to block the site, since they all concern means of committing suicide.

Earlier today, April 9, Wikipedia founder Jimmy Wales responded [ru] to Ain92, a Russia-based Wikipedian, who notified Wales on his user page that “two articles of English Wikipedia is forbidden (blacklisted) by Roskomnadzor [sic].” Wales’ answer was unambiguously defiant:

For me, being blocked is always preferable to collaborating with censors. It's important to understand that the fear of site-wide blocking is based in concerns that some (smaller, presumably) ISPs may lack sufficient technical resources to block individual pages, forcing them to block the entire site to comply with the law. Believe me, if those ISPs block the entire site, while other ISPs only block specific pages, the ones which block all of Wikipedia will lose customers very very quickly. We are not weak, we are very powerful. Catering to the demands of weak and cowardly politicians – the kind who fear the spread of knowledge – is not the Wikipedia way.

Wales, though, will not be the one to decide how Wikipedia’s drug- and suicide-related content develops in response to the Russian authorities. That honor lies with Wikipedia’s volunteer editors, who were responsible for the articles in the first place. That said, all indications are that neither Russia’s officials nor her Wikipedians are likely to budge. That means “Cannabis Smoking” and its subversive neighbors are probably on the RuNet blacklist to stay.

April 6, 2013

Acclaimed US technology writer Steven Levy starts his long-form history of Facebook's newest product—Graph Search—by describing it as a feature that “promises to transform its user experience, threaten its competitors, and torment privacy activists.” Though it takes quite a lot to torment us these days, Graph Search does raise a few eyebrows.

The new feature allows users to structure searches that can filter through friends, friends of friends, and the general public. Now one can more easily search for “My friends who like Global Voices” or “People who like Human Rights Watch.” Facebook then returns a list of individuals whose public or shared aspects of their profile match the search terms.

This image has been released to the public domain.

All of a sudden, what people once thought was shared only with their Facebook audience — whether friends, friends of friends, or members of the public with a specific reason to look you up — is now readily available via Graph Search.

There's nothing inherently wrong with being able to look at information that is either public or that users have chosen to share. But there's a difference between posting information for anyone to find and posting information to be searched and sorted. Graph Search allows strangers — anyone from casual acquaintances to government actors — to discover information about you that you may not have intended them to find.

If you walk down a crowded public street, you are probably seen by dozens of people — but it would still feel creepy for anyone to be able to look up a list of every road you've walked down. This is why Google Street View, for example, obscures the identity of people photographed on public streets, even though the information was not private or secret.

Facebook's Graph Search presents the problem of “discoverability.” One can have a good balance of privacy and openness if information is available, but not easily discoverable. Consider a blogger who writes political criticism. She might not mind if her followers were to search her Facebook “likes,” but she probably wouldn't want a government official to do the same thing. This feature has rolled everyone, by default, into a dating service, a marketing database, and a trove of valuable data easily searchable by government actors and other individuals with unfriendly motives.

Your privacy…in the hands of “Friends”

By adjusting your privacy settings, you can help prevent your information from appearing in searches run by strangers and protect your friends from showing up in results. But even when you've set all your settings to “Friends” only, you can still appear in strangers’ search results.

Some unwanted search results arise through your associations with—and are therefore solely controlled by—your friends and family. This violates the principle of control of the Bill of Privacy Rights for social network users. EFF urges Facebook to fix the problem by letting people opt out.

These Graph Search results provide, as security expert Bruce Schneier has labeled them, “incidental data”—data about or associated with you that other people post. The issue lies in the fact that the people who show up in such search results have no setting that will allow them to control when these data appear. As Facebook explained in a recent blog post, “You control who can see your friend lists, [but] your friends control who can see their friend lists.”

Facebook's answer to this dilemma is for you to take it up with your friends. On Facebook's Graph Search privacy FAQ, it says, “If you're concerned about people searching for info about your friends, you can ask your friends to limit who can see their friends list as well.”

This is not a solution. First, you have no way of knowing your friends’ settings—whether they publicly share their Likes, Friend lists, or any other of the myriad pieces of information on a Facebook profile. Second, you have no easy way of dissociating with your friends and relationships. No way, that is, except to unfriend them, and that hardly seems like a solution to this problem.

Tom Scott's Falun Gong example is a good hypothetical. Suppose you and your family live in China, and your sister appears on your “Relationships” list. You have the ability to make that relationship status as private as you'd like (e.g., visible only to friends); however, your sister could make it visible to the public. You may never know that sometime down the line she decides to publicly “like” Falun Gong—and never have the opportunity to “ask your friends to limit who can see their friends list.” The first notice that your friends’ settings are too public should not be a knock on the door by the secret police.

This is a fundamental privacy issue. Before Graph Search, it was impractical and time-consuming to look through profile after profile to find the people who meet certain criteria—even if the information were set to public. If you tried to automate the search, you would run afoul of Facebook's anti-scraping defenses. Now that the search functionality is so easy, there is nothing you alone can do to stop it.

So how do you fix this problem? The obvious solution is to allow users to opt out of Graph Search results. There is no way of knowing what search queries lead to you as a result, and working to ensure that each of your friends uses the same privacy settings you do can quickly become futile.

Perhaps Facebook should also let you choose whose search results you show up in. Already you have fine control over individual pieces of information about you—your phone number could be visible to only your friends, but your listed websites could be made public. Why not extend this control to search results? Facebook's privacy settings already include a “Who can look me up?” section. Unfortunately, the offered settings don't quite answer this question the way you might think they would.

As Facebook's Graph Search develops, it will be a wake-up call, encouraging people to examine—and rein in—their privacy settings. On Facebook, things are more available by default than people may think. But even beyond specifically public settings, actions and photos that were once hard to find after some time had passed are now more easily discoverable by strangers with loose ties. This may force us to reassess what we actually think is private and what is not.

This post combines content from two posts published on Deeplinks, the blog of the Electronic Frontier Foundation.

April 1, 2013

Saudi Arabia, an Enemy of the Internet as defined by Reporters Without Borders, is threatening to block a number of popular communication tools, such as Skype and mobile messaging service WhatsApp, unless the operating companies agree to infringe on the privacy of users and monitor them.

According to Brian Whitaker, who blogs at Al-bab, the Saudi authorities:

are threatening to block popular communication services such as Skype, WhatsApp and Viber unless the operating companies agree to monitoring of messages and calls.

Al-Arabiya reports that the Saudi Communications and Information Technology Commission (CITC) has given companies until the end of this week to respond.

If the companies do not comply with the Saudi request, the commission may take action and block these services.

Saudi Arabia appears on Reporters Without Borders’ “Enemies of the Internet” list.

Whitaker adds:

Al-Arabiya reports:

“In case they say it is impossible to monitor the applications, the commission said it will consider procedures to block them altogether in the kingdom.”

The Jeddah-based Arab News says the authorities are concerned because the applications use encrypted connections:

“According to two informed sources who work at local telecommunication companies, this issue has been at the top of the agenda of discussions during meetings between heads of telecom companies and the CITC over the past 20 days. The meetings have finally concluded with the CITC demanding that it be allowed to monitor the encrypted applications.”

Predictably, the authorities justify their demand for monitoring on the grounds that it will help prevent crime and terrorism. But, as Ahram Online points out, conservatives in the kingdom are worried about the growth of internet-based social networks which are outside their control and which “have enlarged the severely restricted scale of freedom of expression”.

Whitaker reminds us:

The question now is whether the companies concerned will agree to the CITC's demands. There was a similar issue three years ago when the CITC threatened to shut down the BlackBerry Messenger service unless it was given access to codes that would allow monitoring of messages.

The matter was later resolved, though it is not clear how. The CITC said it was dropping the ban after Research in Motion, the Canadian company behind BlackBerry, met “part” of its regulatory requirements. Some reports suggested the company had caved in and agreed to put a BlackBerry server in the country so that the Saudis could directly access customer data.

On Riyadh Bureau, Ahmed Al Omran reports that Saudi Arabia's grand mufti Abdulaziz Al Sheikh has described Twitter as a place where youth waste their time and as a “gathering place for every clown and corrupter who post tweets that are illegitimate, false and wrong.”

Al Omran adds:

The Grand Mufti has become increasingly critical of Twitter users recently. In January 2012 he said the social network “has become a platform for trading accusations and for promoting lies used by some just for the sake of fame.” Then in October he called people who use the site “fools” and accused them of lacking modesty and faith.

He also offers statistics on Twitter users in Saudi Arabia, saying:

Twitter has become a major platform for Saudis to exchange ideas and debate political issues in the country. A recent survey said 51% of internet users in Saudi Arabia are active Twitter users, putting it in first place worldwide. A Saudi official admitted last month that the government is struggling to monitor and censor the site due to the huge volume of messages posted by users inside the country.

As Saudis make their voices heard online, thanks to the wide reach of social media, Saudi authorities seem to be working even harder at muzzling their voices.

March 27, 2013

Every day, when a person sends a Tweet, posts a photo to Flickr, or updates her Facebook page, she is making decisions about which companies to entrust with her thoughts, photos, contacts, identity and location data. In order to make informed decisions, users—especially those at risk of government repression—need to know if governments are asking companies for information about their online activities and what kinds of information the companies are handing over in response to these requests.

Earlier this year, Lebanese security researcher Nadim Kobeissi led a coalition of digital rights advocates, including GVA, in calling on Microsoft to report on government requests for Skype user data (Microsoft is the parent company for Skype). In an open letter to the company, the coalition pointed out that with 600 million users worldwide, Skype is effectively one of the world’s largest communication service providers.

Infographic of recent Google transparency report data, created by EFF and SHARE Defense. (CC BY 3.0)

Many users rely on Skype for secure and private communications and for some—whether they’re activists working in repressive environments or journalists communicating with sensitive sources—the stakes are high.

As a community, we're pleased that Microsoft has not only answered that letter on behalf of Skype, but has done so on behalf of the entire company. Last week Microsoft released its first transparency report, which covers all requests for user data from law enforcement and judicial authorities received in 2012. The report covers all of their online and cloud services, including Hotmail/Outlook.com, SkyDrive, Microsoft Account, and Messenger. Skype data gets its own separate report this year, because different laws apply. As the company notes, Microsoft is based in the United States, but Skype is a “wholly-owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg [and EU] law.”

The report includes information about requests that the company fulfilled for both Skype and its other products. For non-Skype products, it also reports the number of requests that resulted in the disclosure of user data. This is a great step forward, since it gives more information about what user information is being sought and how often it is being turned over.

Australia, Brazil, France, Germany, Hong Kong, Italy, Mexico, Spain, Taiwan, Turkey, the UK and the US made the most requests for Microsoft user data in 2012 (including Skype and other products/services listed above). How does Microsoft determine the list of countries for which it will accept government requests for user data?

Microsoft maintains operations and a physical presence in more than 100 countries around the world, which makes it easier for law enforcement authorities and/or courts to contact local Microsoft offices with requests for customer data. However, we only disclose data in 46 countries where we have the ability to validate the lawfulness of the request.

Even when restricted to 46 countries, the quantity of requests is surprising. In 2012, Microsoft and Skype received a total of 75,378 requests from law enforcement agencies, potentially impacting 137,424 accounts. For comparison, in the same period Google received 42,327 requests. One possible explanation is that, especially when combined with Skype, Microsoft serves a significantly larger number of users than Google. More user accounts may translate into more requests for user data. Microsoft has also had an international presence for much longer than Google.

Other highlights include generalized information about the number of National Security Letters (NSLs) that Microsoft has received, going back to 2009, as well as generalized information about the total number of accounts that may have been affected by those requests. These letters — which are issued to communications service providers such as phone companies and ISPs and are authorized by US law (18 U.S.C. 2709) — allow the FBI to secretly demand data about ordinary American citizens’ private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters’ existence to anyone. EFF just successfully argued that the NSL gag orders are unconstitutional, but that court order is on hold pending an appeal by the government.

Until recently, none of the companies that issue transparency reports included statistics on NSLs. But a few weeks ago, Google published these figures for the first time as part of its transparency report, shining some limited light on the ways in which the US government uses these secretive demands for data about users. We are happy to see Microsoft follow suit. Because the numbers are so generalized (Microsoft received 1,000-1,999 NSLs in 2011, affecting 3,000-3,999 accounts), it is difficult to make a comparison with Google, but speaking broadly, Microsoft appears to receive more NSLs than Google.

What’s even more interesting is the claim regarding Skype that out of 4,713 requests for user data that potentially affect 15,409 accounts, the number of requests resulting in the disclosure of user content is zero. The Skype report does not specify how often the company complied with government requests for transactional data (this might include a user’s name, billing address, or IP history, but not the content of his or her communications), noting that Skype did not keep this information for 2012. We expect that this will be clarified in future reports. But for users who expressed concern that Microsoft might be turning over their Skype conversations and messages in response to a warrant, these figures may appear reassuring.

The Skype report goes one step further and offers the following clarification regarding its obligations under the Communications Assistance for Law Enforcement Act (CALEA), a US law that forces broadband Internet and interconnected voice over Internet Protocol (VoIP) services to become wiretap-friendly:

The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.

Does this mean that Skype is safe and secure for users who are concerned about the possibility of government surveillance? Not necessarily. Microsoft offers this important caveat:

While we may not receive law enforcement requests from some countries, or may not honor requests that do not follow our principles and policies, we nevertheless understand some users of our services may be subject to government monitoring or the suppression of ideas and speech. We provide SSL encryption for Microsoft services and Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure. For example Skype Out/In calls route through the existing telecommunications network for part of the call and users of the Skype thin client (used on smartphones, tablets and other hand-held devices) route communications over a wireless or mobile provider network. In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments.

Skype's 2005 external security audit indicated that “digital certificates created by the [central Skype] certificate authority are the basis for identity in Skype” and that, if falsified, these certificates could allow interception of Skype users’ communications (see section 3.4.1). Microsoft's Skype division still controls and operates this authority. A troubling question about the report's definition of “Disclosure of Content” is whether falsified certificates or disclosure of cryptographic secrets—which are perhaps not themselves seen as user content, but can be directly used by an outside party to intercept it—counts as “Disclosure of Content” or not. Observers including security expert Chris Soghoian worried that “leakage of crypto keys would…not be considered release of content” by the report, even though they result in content getting intercepted. It's important for Microsoft to clarify this point to make the information reported about Skype meaningful.

None of this should take away from the big credit that Microsoft deserves for publishing this report in the first place or for including as much information as it did. By joining the ranks of companies that issue transparency reports, Microsoft has cleared up some of the confusion about the risks users are taking when they use Microsoft products, and added to our body of knowledge about the scope of government surveillance. We hope that 2013 is the year that transparency reports become the new normal. Now that Microsoft has done it, perhaps it will be less and less acceptable for companies like Facebook and Yahoo! to leave their users in the dark about government requests for their data.